From a339baf94e5f4a5ab20813b539b25d4cb92685ca Mon Sep 17 00:00:00 2001
From: Marcel Juhnke
Date: Thu, 31 Jan 2019 20:05:47 +0100
Subject: [PATCH 1/4] change cookie index separator to underscore
---
 oauthproxy.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/oauthproxy.go b/oauthproxy.go
index 9c82d4f..6fee5df 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -329,7 +329,7 @@ func splitCookie(c *http.Cookie) []*http.Cookie {
 count := 0
 for len(valueBytes) > 0 {
 new := copyCookie(c)
- new.Name = fmt.Sprintf("%s-%d", c.Name, count)
+ new.Name = fmt.Sprintf("%s_%d", c.Name, count)
 count++
 if len(valueBytes) < maxCookieLength {
 new.Value = string(valueBytes)
@@ -357,7 +357,7 @@ func joinCookies(cookies []*http.Cookie) (*http.Cookie, error) {
 for i := 1; i < len(cookies); i++ {
 c.Value += cookies[i].Value
 }
- c.Name = strings.TrimRight(c.Name, "-0")
+ c.Name = strings.TrimRight(c.Name, "_0")
 return c, nil
 }
 
@@ -374,7 +374,7 @@ func loadCookie(req *http.Request, cookieName string) (*http.Cookie, error) {
 count := 0
 for err == nil {
 var c *http.Cookie
- c, err = req.Cookie(fmt.Sprintf("%s-%d", cookieName, count))
+ c, err = req.Cookie(fmt.Sprintf("%s_%d", cookieName, count))
 if err == nil {
 cookies = append(cookies, c)
 count++
From c57434608635a1cf53ba103744f10253cc68b266 Mon Sep 17 00:00:00 2001
From: Marcel Juhnke
Date: Fri, 1 Feb 2019 18:10:44 +0100
Subject: [PATCH 2/4] add nginx cookie part extraction to README
---
 README.md | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/README.md b/README.md
index 910a671..57505db 100644
--- a/README.md
+++ b/README.md
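Review bot: `strings.TrimRight(c.Name, "_0")` on the new line of the joinCookies hunk treats `"_0"` as a set of characters rather than a suffix, so any base cookie name that itself ends in `_` or `0` is trimmed further than the one index that splitCookie appends, and the joined cookie no longer carries the name it was split under; the old `"-0"` form had the same shape and the rename preserves it. `c.Name = strings.TrimSuffix(c.Name, "_0")` removes exactly the `_0` that the splitCookie hunk adds with `"%s_%d"`. The body of joinCookies begins outside the hunk.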
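Review bot: After the loadCookie hunk, the lookup loop only asks for `<cookieName>_0`, `<cookieName>_1`, …, so split cookies that a running deployment issued under the previous `<cookieName>-0` naming are no longer found once the new build is rolled out, and those browsers presumably fall back to unauthenticated without any log line explaining why; the commit message does not mention this. If in-place upgrades are expected, consider also probing the old `"%s-%d"` name for a transition period, or at least calling the rename out as a session-invalidating change in the release notes. The declarations of `err` and `cookies` that drive this loop are outside the hunk.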
@@ -424,12 +424,46 @@ server { auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; + # if you enabled --set-authorization and your cookies are split into multiple parts, + # you also need to extract the additional cookies, because $upstream_http_set_cookie + # only contains the first Set-Cookie header from the auth_request. + auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1; + + # Extract the Cookie attributes from the first Set-Cookie header and append them + # to the second part ($upstream_cookie_* variables only contain the raw cookie content) + if ($auth_cookie ~* "(; .*)") { + set $auth_cookie_name_0 $auth_cookie; + set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1"; + } + + # Send both Set-Cookie headers now if there was a second part + if ($auth_cookie_name_upstream_1) { + add_header Set-Cookie $auth_cookie_name_0; + add_header Set-Cookie $auth_cookie_name_1; + } + proxy_pass http://backend/; # or "root /path/to/site;" or "fastcgi_pass ..." etc } } ``` +If you use ingress-nginx in Kubernetes (which includes the Lua module), you also can use the following configuration snippet for your Ingress: + +```yaml +nginx.ingress.kubernetes.io/auth-response-headers: Authorization +nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$request_uri +nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth +nginx.ingress.kubernetes.io/configuration-snippet: | + auth_request_set $name_upstream_1 $upstream_cookie_name_1; + + access_by_lua_block { + if ngx.var.name_upstream_1 ~= "" then + ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)") + end + } +``` + ## Contributing Please see our [Contributing](CONTRIBUTING.md) guidelines. From cd37a14fc0177f196f2caeb8a396eca80afb3cca Mon Sep 17 00:00:00 2001 
From: Joel Speed Date: Sat, 2 Feb 2019 12:47:21 +0100 Subject: [PATCH 3/4] Added more context as suggested by JoelSpeed. Co-Authored-By: marratj --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 57505db..a27767a 100644 --- a/README.md +++ b/README.md @@ -424,7 +424,11 @@ server { auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; - # if you enabled --set-authorization and your cookies are split into multiple parts, + # When using the --set-authorization flag, some provider's cookies can exceed the 4kb + # limit and so the OAuth2 Proxy splits these into multiple parts. + # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response, + # so if your cookies are larger than 4kb, you will need to extract additional cookies manually. + auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1; # you also need to extract the additional cookies, because $upstream_http_set_cookie # only contains the first Set-Cookie header from the auth_request. auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1; From 72d4c49be016129557e2848beb8158f8638f6bfb Mon Sep 17 00:00:00 2001 From: "Marcel D. Juhnke" Date: Sat, 2 Feb 2019 15:00:10 +0100 Subject: [PATCH 4/4] remove duplicate lines --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index a27767a..4e02da3 100644 --- a/README.md +++ b/README.md 
@@ -429,9 +429,6 @@ server {
 # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
 # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
 auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
- # you also need to extract the additional cookies, because $upstream_http_set_cookie
- # only contains the first Set-Cookie header from the auth_request.
- auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
 
 # Extract the Cookie attributes from the first Set-Cookie header and append them
 # to the second part ($upstream_cookie_* variables only contain the raw cookie content)